What Is a Technology Control Plan?
A Technology Control Plan, commonly referred to as a TCP, is a formal written document that describes how an organization will prevent unauthorized access to export-controlled technology, technical data, and defense articles by foreign nationals. In the context of the International Traffic in Arms Regulations (ITAR), a TCP establishes the specific procedures, physical controls, personnel requirements, and oversight mechanisms your organization uses to ensure that access to controlled information and hardware remains lawful.
Think of a TCP as the operational manual for your export control environment. It does not replace your broader ITAR compliance program, but it functions as a critical component of it — one that specifically addresses the risk created whenever foreign persons are present in, or employed by, your organization.
A well-structured TCP answers several core questions: What controlled technology do we possess? Where is it located? Who has access to it? How do we restrict that access from unauthorized foreign nationals? What training do our employees receive? How do we document and audit compliance?
Why Technology Control Plans Matter Under ITAR
Under ITAR, sharing controlled technical data or providing access to defense articles to a foreign national — even on U.S. soil — constitutes a deemed export. This is one of the most frequently misunderstood concepts in export control compliance. When a foreign national views a controlled drawing, accesses an engineering system, or walks through a restricted manufacturing floor, a deemed export may have occurred. Without a TCP, your organization has no documented framework for preventing or tracking these events.
The Directorate of Defense Trade Controls (DDTC), the State Department office that enforces ITAR, expects registrants to demonstrate active, documented controls over access to defense articles and technical data. A TCP is the primary mechanism for doing exactly that. If your organization is ever subject to a DDTC audit or compliance review, your TCP will be among the first documents requested. Organizations that cannot produce one — or produce one that is superficial and clearly not implemented — face significant exposure.
If you want a broader understanding of what DDTC examiners look for, review our ITAR audit readiness checklist.
Who Is Required to Have a Technology Control Plan?
There is no single regulatory provision in ITAR that states, in plain language, "you must have a Technology Control Plan." However, the requirement is effectively compelled by a combination of ITAR obligations, DDTC guidance, government contract requirements, and enforcement precedent. The following categories of organizations should treat a TCP as mandatory:
ITAR-Registered Companies with Foreign National Employees or Visitors
Any company registered with DDTC that employs foreign nationals or regularly receives foreign national visitors must have a TCP. The TCP defines the access boundaries for those individuals and demonstrates that the company has evaluated the deemed export risk and implemented appropriate controls. This is the most common trigger for TCP development.
Defense Contractors Operating Under DSP-5, DSP-61, or Other Export Licenses
When DDTC issues an export license, it often includes a proviso requiring the applicant to maintain a TCP or implement specific access controls. Failure to maintain the required TCP in connection with a license can result in violations independent of any actual unauthorized transfer. If your organization holds or has applied for export licenses, review each license carefully for TCP-related conditions.
Companies with Government-Furnished Property or Controlled Technical Data
Defense contractors who receive government-furnished equipment, drawings, specifications, or technical data as part of a contract are often contractually required to demonstrate controlled access. Many prime contractors flow down TCP requirements to subcontractors through contract clauses. If you are a subcontractor in the defense industrial base, check your teaming agreements and subcontract terms.
Universities and Research Institutions with ITAR-Controlled Research Programs
Academic institutions that conduct research involving defense articles or ITAR-controlled technical data — particularly when foreign national students, postdoctoral researchers, or faculty are involved — need TCPs. The fundamental research exclusion has limits, and universities regularly misjudge where those limits apply. A TCP documents how the institution separates controlled research from open research environments.
Aerospace and Manufacturing Firms
Companies in aerospace and defense manufacturing routinely handle ITAR-controlled hardware, software, and technical data across their facilities. Foreign nationals on the shop floor, in engineering departments, or in IT environments create deemed export risk that only a TCP can systematically address. For a deeper look at compliance obligations specific to this sector, see our guide to ITAR compliance for the aerospace industry.
What Must a Technology Control Plan Include?
While the specific content of a TCP can vary based on your organization's size, structure, and the nature of the controlled technology you handle, DDTC and industry best practice point to a consistent set of required elements:
- Scope and purpose: A description of the controlled technology, technical data, or defense articles covered by the TCP and the legal basis for the controls.
- Organizational roles and responsibilities: Identification of the Empowered Official, compliance personnel, and department-level responsibilities for implementing TCP requirements.
- Foreign national access procedures: Specific procedures governing when and how foreign nationals may access controlled areas, systems, or data — including screening, authorization, and escort requirements.
- Physical security controls: Description of access-controlled areas, locked storage, signage, and visitor management procedures.
- Information technology controls: Network segmentation, system access restrictions, and procedures for preventing foreign nationals from accessing controlled data on IT systems.
- Training requirements: Frequency, content, and documentation of ITAR training for employees who work with or near controlled technology.
- Recordkeeping: How the organization documents access events, training completion, visitor logs, and license activities.
- Audit and review procedures: How and when the TCP itself is reviewed, updated, and internally audited for effectiveness.
- Incident reporting: Procedures for identifying, escalating, and reporting potential violations to DDTC and internal leadership.
For organizations that handle both ITAR-controlled technical data and Controlled Unclassified Information (CUI), there is significant overlap between TCP requirements and the controls required under CMMC and NIST SP 800-171. Our ITAR and Export Controls Compliance services help organizations build TCPs that satisfy DDTC expectations while integrating with their broader cybersecurity compliance programs.
Common TCP Weaknesses That Create Enforcement Risk
After reviewing dozens of TCPs across defense contractors, manufacturers, and research institutions, we consistently see the same deficiencies. These are the gaps that create the greatest exposure:
- TCPs that exist on paper but are never implemented. A document that sits in a file cabinet and is never communicated to employees is not a compliance program — it is a liability.
- Failure to update after personnel changes. When the Empowered Official changes, or when a new product line is acquired, the TCP must be updated to reflect the current state of the organization.
- Inadequate IT controls. Many TCPs describe physical access controls in detail but say little about how controlled technical data is protected on IT systems, cloud environments, or collaboration platforms.
- Missing or inconsistent training records. DDTC examiners ask for evidence that training occurred. Undocumented training is treated the same as no training.
- Visitor management gaps. Foreign national visitors must be screened, escorted, and documented. Organizations without structured visitor protocols are particularly vulnerable during facility audits.
Proper visitor management is a foundational TCP requirement. Physical controls such as badging, sign-in logs, and access restriction signage are part of a complete TCP implementation. Our overview of visitor badges under ITAR and EAR explains how these physical controls connect to your broader compliance obligations.
How to Develop or Strengthen Your Technology Control Plan
Developing an effective TCP requires a clear understanding of what technology you control, where it lives, who has access to it, and what your license conditions require. The process typically involves a technology inventory, a foreign national access risk assessment, physical and IT controls mapping, and a gap analysis against DDTC expectations.
For organizations building compliance programs from the ground up, our Compliance Program Development services provide a structured approach to TCP development that is integrated with your ITAR registration, license management, and broader export compliance obligations.
Organizations that already have a TCP should conduct periodic internal reviews to verify that the document reflects current operations, that controls are actually functioning, and that employees are trained and accountable. If your program has not been formally reviewed in the past 12 months, that gap itself represents risk.
The Bottom Line on Technology Control Plans
A Technology Control Plan is not optional if your organization is registered under ITAR, employs or receives foreign nationals, holds export licenses with TCP conditions, or handles controlled technical data as part of government contracts. It is a foundational compliance document that demonstrates your organization takes its export control obligations seriously — and one that DDTC will look for if your program ever comes under scrutiny.
The consequences of inadequate TCP implementation range from license revocations and consent agreements to civil penalties that can reach millions of dollars per violation. More importantly, a well-implemented TCP protects the national security information your government contracts depend on you to safeguard.
If you are uncertain whether your organization needs a TCP, or if you have one that needs to be strengthened, Cleared Systems is ready to help. Request a quote today to speak with our ITAR compliance team about a TCP assessment, development, or review engagement tailored to your organization's specific obligations and risk profile.
